tls resumption with external session cache

api/BUILD

@@ -121,6 +121,7 @@ proto_library(
         "//envoy/config/retry/previous_hosts/v2:pkg",
         "//envoy/config/route/v3:pkg",
         "//envoy/config/tap/v3:pkg",
+        "//envoy/config/tls_session_cache/v3:pkg",
         "//envoy/config/trace/v3:pkg",
         "//envoy/config/upstream/local_address_selector/v3:pkg",
         "//envoy/data/accesslog/v3:pkg",
@@ -365,6 +366,7 @@ proto_library(
         "//envoy/service/secret/v3:pkg",
         "//envoy/service/status/v3:pkg",
         "//envoy/service/tap/v3:pkg",
+        "//envoy/service/tls_session_cache/v3:pkg",
         "//envoy/service/trace/v3:pkg",
         "//envoy/type/http/v3:pkg",
         "//envoy/type/matcher/v3:pkg",

api/envoy/config/tls_session_cache/v3/BUILD

@@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/core/v3:pkg",
+        "@com_github_cncf_xds//udpa/annotations:pkg",
+    ],
+)

api/envoy/config/tls_session_cache/v3/tls_session_cache.proto

@@ -0,0 +1,28 @@
+syntax = "proto3";
+
+package envoy.config.tls_session_cache.v3;
+
+import "envoy/config/core/v3/grpc_service.proto";
+
+import "google/protobuf/duration.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.config.tls_session_cache.v3";
+option java_outer_classname = "TlsSessionCacheProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/tls_session_cache/v3;tls_session_cachev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: TLS session cache service]
+
+message TlsSessionCacheConfig {
+  // The timeout in milliseconds for the TLS session cache service RPC. If not
+  // set, this defaults to 20ms.
+  google.protobuf.Duration timeout = 1;
+
+  // Specifies the gRPC service that hosts the TLS session cache service. The client
+  // will connect to this cluster when it needs to look up TLS session.
+  core.v3.GrpcService grpc_service = 2 [(validate.rules).message = {required: true}];
+}

api/envoy/extensions/transport_sockets/tls/v3/BUILD

@@ -8,6 +8,7 @@ api_proto_package(
     deps = [
         "//envoy/annotations:pkg",
         "//envoy/config/core/v3:pkg",
+        "//envoy/config/tls_session_cache/v3:pkg",
         "//envoy/type/matcher/v3:pkg",
         "@com_github_cncf_xds//udpa/annotations:pkg",
     ],

api/envoy/extensions/transport_sockets/tls/v3/tls.proto

@@ -4,6 +4,7 @@ package envoy.extensions.transport_sockets.tls.v3;
 
 import "envoy/config/core/v3/address.proto";
 import "envoy/config/core/v3/extension.proto";
+import "envoy/config/tls_session_cache/v3/tls_session_cache.proto";
 import "envoy/extensions/transport_sockets/tls/v3/common.proto";
 import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
 
@@ -63,7 +64,7 @@ message UpstreamTlsContext {
   google.protobuf.BoolValue enforce_rsa_key_usage = 5;
 }
 
-// [#next-free-field: 12]
+// [#next-free-field: 13]
 message DownstreamTlsContext {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.auth.DownstreamTlsContext";
@@ -145,6 +146,10 @@ message DownstreamTlsContext {
   // Setting this to true would allow the downstream client's preferred cipher to be used instead.
   // Has no effect when using TLSv1_3.
   bool prefer_client_ciphers = 11;
+
+   // Config for external TLS session cache.
+  config.tls_session_cache.v3.TlsSessionCacheConfig session_cache_service = 12;
+
 }
 
 // TLS key log configuration.

api/envoy/service/tls_session_cache/v3/BUILD

@@ -0,0 +1,10 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    has_services = True,
+    deps = ["@com_github_cncf_xds//udpa/annotations:pkg"],
+)

api/envoy/service/tls_session_cache/v3/tls_session_cache.proto

@@ -0,0 +1,59 @@
+syntax = "proto3";
+
+package envoy.service.tls_session_cache.v3;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.service.tls_session_cache.v3";
+option java_outer_classname = "TlsSessionCacheProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/service/tls_session_cache/v3;tls_session_cachev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: TLS session cache service]
+
+service TlsSessionCacheService {
+  rpc TlsSessionStore(TlsSessionRequest) returns (TlsSessionResponse) {
+  }
+
+  rpc TlsSessionFetch(TlsSessionRequest) returns (TlsSessionResponse) {
+  }
+}
+
+enum TYPE {
+  // The request type to store a session to the cache.
+  STORE = 0;
+
+  // The request type to fetch a session from the cache.
+  FETCH = 1;
+}
+
+enum CODE {
+  // The response code to notify that the session id is added .
+  OK = 0;
+
+  // The session id already exits in the session cache, unlikely to happen.
+  ALEADY_EXIST = 1;
+
+  // The response code to notify that the session id is not found in session cache.
+  NOT_FOUND = 2;
+}
+
+message TlsSessionRequest {
+  TYPE type = 1;
+
+  // The TLS session id
+  string session_id = 2;
+
+  bytes session_data = 3;
+}
+
+message TlsSessionResponse {
+  TYPE type = 1;
+
+  CODE code = 2;
+
+  string session_id = 3;
+
+  bytes session_data = 4;
+}

api/versioning/BUILD

@@ -59,6 +59,7 @@ proto_library(
         "//envoy/config/retry/previous_hosts/v2:pkg",
         "//envoy/config/route/v3:pkg",
         "//envoy/config/tap/v3:pkg",
+        "//envoy/config/tls_session_cache/v3:pkg",
         "//envoy/config/trace/v3:pkg",
         "//envoy/config/upstream/local_address_selector/v3:pkg",
         "//envoy/data/accesslog/v3:pkg",
@@ -304,6 +305,7 @@ proto_library(
         "//envoy/service/secret/v3:pkg",
         "//envoy/service/status/v3:pkg",
         "//envoy/service/tap/v3:pkg",
+        "//envoy/service/tls_session_cache/v3:pkg",
         "//envoy/service/trace/v3:pkg",
         "//envoy/type/http/v3:pkg",
         "//envoy/type/matcher/v3:pkg",

docs/root/api-v3/config/config.rst

@@ -48,3 +48,4 @@ Extensions
   watchdog/watchdog
   load_balancing_policies/load_balancing_policies
   cluster_specifier/cluster_specifier
+  tls_session_cache/tls_session_cache

docs/root/api-v3/config/tls_session_cache/tls_session_cache.rst

@@ -0,0 +1,8 @@
+TLS session cache
+=================
+
+.. toctree::
+  :glob:
+  :maxdepth: 2
+
+  ../../config/tls_session_cache/v3/*

docs/root/api-v3/service/service.rst

@@ -18,4 +18,5 @@ Services
   runtime/v3/*
   ../config/tap/v3/*
   tap/v3/*
+  tls_session_cache/v3/*
   trace/v3/*

envoy/ssl/context_config.h

@@ -209,6 +209,12 @@ class ServerContextConfig : public virtual ContextConfig {
    * @return a factory which can be used to create TLS context provider instances.
    */
   virtual TlsCertificateSelectorFactory tlsCertificateSelectorFactory() const PURE;
+
+  virtual bool enableTlsSessionCache() const PURE;
+
+  virtual const envoy::config::core::v3::GrpcService& tlsSessionCacheGrpcService() const PURE;
+
+  virtual std::chrono::milliseconds tlsSessionCacheGrpcTimeout() const PURE;
 };
 
 using ServerContextConfigPtr = std::unique_ptr<ServerContextConfig>;

source/common/tls/BUILD

@@ -210,10 +210,12 @@ envoy_cc_library(
         "//source/common/network:cidr_range_lib",
         "//source/common/protobuf:utility_lib",
         "//source/common/runtime:runtime_features_lib",
+        "//source/common/ssl:tls_certificate_config_impl_lib",
         "//source/common/stats:symbol_table_lib",
         "//source/common/stats:utility_lib",
         "//source/common/tls/cert_validator:cert_validator_lib",
         "//source/common/tls/private_key:private_key_manager_lib",
+        "//source/common/tls/session_cache:tls_session_cache_lib",
         "@com_github_google_quiche//:quic_core_crypto_proof_source_lib",
         "@envoy_api//envoy/admin/v3:pkg_cc_proto",
         "@envoy_api//envoy/type/matcher/v3:pkg_cc_proto",
@@ -227,13 +229,15 @@ envoy_cc_library(
         "server_context_impl.cc",
     ],
     hdrs = [
+        "context_config_impl.h",
         "default_tls_certificate_selector.h",
         "server_context_impl.h",
     ],
     deps = [
         ":context_lib",
         "//source/common/tls/ocsp:ocsp_lib",
         "@envoy_api//envoy/admin/v3:pkg_cc_proto",
+        "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto",
         "@envoy_api//envoy/type/matcher/v3:pkg_cc_proto",
     ],
     alwayslink = 1,  # has factory registration

source/common/tls/context_impl.cc

@@ -426,6 +426,14 @@ int ContextImpl::sslSocketIndex() {
   }());
 }
 
+int ContextImpl::sslSessionCacheIndex() {
+  CONSTRUCT_ON_FIRST_USE(int, []() -> int {
+    int ssl_session_cache_index = SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
+    RELEASE_ASSERT(ssl_session_cache_index >= 0, "");
+    return ssl_session_cache_index;
+  }());
+}
+
 std::vector<uint8_t> ContextImpl::parseAlpnProtocols(const std::string& alpn_protocols,
                                                      absl::Status& parse_status) {
   if (alpn_protocols.empty()) {
@@ -548,6 +556,7 @@ void ContextImpl::logHandshake(SSL* ssl) const {
 
   if (SSL_session_reused(ssl)) {
     stats_.session_reused_.inc();
+    ENVOY_LOG(debug, "Handshake with session resumption: {}", SSL_get_version(ssl));
   }
 
   incCounter(ssl_ciphers_, SSL_get_cipher_name(ssl), unknown_ssl_cipher_);

source/common/tls/context_impl.h

@@ -21,6 +21,7 @@
 #include "source/common/stats/symbol_table.h"
 #include "source/common/tls/cert_validator/cert_validator.h"
 #include "source/common/tls/context_manager_impl.h"
+#include "source/common/tls/session_cache/session_cache.h"
 #include "source/common/tls/stats.h"
 
 #include "absl/synchronization/mutex.h"
@@ -95,6 +96,8 @@ class ContextImpl : public virtual Envoy::Ssl::Context,
   static int sslExtendedSocketInfoIndex();
 
   static int sslSocketIndex();
+
+  static int sslSessionCacheIndex();
   // Ssl::Context
   absl::optional<uint32_t> daysUntilFirstCertExpires() const override;
   Envoy::Ssl::CertificateDetailsPtr getCaCertInformation() const override;

source/common/tls/server_context_config_impl.cc

@@ -159,6 +159,15 @@ ServerContextConfigImpl::ServerContextConfigImpl(
         std::chrono::seconds(DurationUtil::durationToSeconds(config.session_timeout()));
   }
 
+  if (config.has_session_cache_service()) {
+    tls_session_cache_grpc_timeout_ = std::chrono::milliseconds(
+        DurationUtil::durationToMilliseconds(config.session_cache_service().timeout()));
+    tls_session_cache_grpc_service_ = config.session_cache_service().grpc_service();
+    enable_tls_session_cache_ = true;
+  } else {
+    enable_tls_session_cache_ = false;
+  }
+
   if (config.common_tls_context().has_custom_tls_certificate_selector()) {
     // If a custom tls context provider is configured, derive the factory from the config.
     const auto& provider_config = config.common_tls_context().custom_tls_certificate_selector();

source/common/tls/server_context_config_impl.h

@@ -45,6 +45,16 @@ class ServerContextConfigImpl : public ContextConfigImpl, public Envoy::Ssl::Ser
 
   Ssl::TlsCertificateSelectorFactory tlsCertificateSelectorFactory() const override;
 
+  bool enableTlsSessionCache() const override { return enable_tls_session_cache_; }
+
+  const envoy::config::core::v3::GrpcService& tlsSessionCacheGrpcService() const override {
+    return tls_session_cache_grpc_service_;
+  }
+
+  std::chrono::milliseconds tlsSessionCacheGrpcTimeout() const override {
+    return tls_session_cache_grpc_timeout_;
+  }
+
 private:
   ServerContextConfigImpl(
       const envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext& config,
@@ -76,6 +86,9 @@ class ServerContextConfigImpl : public ContextConfigImpl, public Envoy::Ssl::Ser
   const bool disable_stateless_session_resumption_;
   const bool disable_stateful_session_resumption_;
   bool full_scan_certs_on_sni_mismatch_;
+  bool enable_tls_session_cache_;
+  envoy::config::core::v3::GrpcService tls_session_cache_grpc_service_;
+  std::chrono::milliseconds tls_session_cache_grpc_timeout_;
   const bool prefer_client_ciphers_;
 };